TSA Security Fail
Everybody’s friends over at the TSA had a nice fail at some point when they posted a redacted version of their “Aviation Security Screening Management Standard Operating Procedures” on their web site. Unfortunately for them, redacting by drawing boxes over the text and images in Acrobat doesn’t really do anything useful, the content is still there. It took a few months before someone noticed, but once that happened the Internet took hold and the great guys over at Cryptome stripped all the censoring, replacing it with red boxes to clearly mark what the TSA considers “sensitive” and posted the result on their web site. I’m also mirroring the same here. I’ve skimmed the whole manual and read the censored parts in their entirety, I honestly can’t figure out why they even felt the need to censor. Governments should be open unless they can provide good reason not to be, not closed by default.
TSA Screening Procedures (41)Move complete!
If you are seeing this post, your DNS servers have updated and noticed that my old VPS on JaguarPC is no longer where they should look. My blog and other random shit has now been moved over to Linode, where they don’t block IRC and other things I run on my box.
Steam claiming it is being run in compatibility mode on Vista and Windows 7
Today I had Steam start throwing an error that it is being run in compatibility mode when I had never set such a thing, nor were either the shortcut or EXE itself flagged for compatibility mode. Thanks to a little googling, I found this thread on the Steam forums which finally had a solution.
Open the registry editor (if you don’t know how to do this, you should not be messing around in the registry) and browse to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers. Look for entries in those keys mentioning steam.exe and delete them. Restart Steam and you’re set!
Quick Post-Dayton Update
Got back home from the Dayton Hamvention around 8 PM last night. I went there planning on buying an entry-level HT, but I ended up getting attracted to shiny things and bought a Yaesu VX-7R rather than my intended target of something in the FT-60R range. Made a few contacts on the trip back, unfortunately I don’t remember many calls or names, the only ones I can recall are Ron (W8RON) and I think another guy both Ron and I talked with was named Kyle, I can’t remember his call.
So I’m finally on the air the “proper” way rather than just being tied to Echolink. Woo!
–KD8JQS
Evolution
Evolution
A quick primer to send to any creationists you may know.
Edit: Apparently the Youtube Wordpress auto-post thing neglects to set the title.
Could Pat Robertson get any more out of touch with reality?
Yesterday Pat Robertson made another one of his trademark idiotic statements. In response to Maine providing homosexual couples the right to marry, Mr. Robertson went on CBN and opened his mouth to let this shit dribble out:
Here is a transcript, snagged from Think Progress:
HOST: Meanwhile, the New Hampshire legislature has also voted in favor of gay marriage, but Pat, the governor there still isn’t sure if he will approve that bill.
ROBERTSON: Lee, we haven’t taken this to its ultimate conclusion. You got polygamy out there. How can we rule that polygamy is illegal when you say that homosexual marriage is legal. What is it about polygamy that’s different? Well, polygamy was outlawed because it was considered immoral according to biblical standards. But if we take biblical standards away in homosexuality, what about the other? And what about bestiality and ultimately what about child molestation and pedophilia? How can we criminalize these things and at the same time have constitutional amendments allowing same-sex marriage among homosexuals. You mark my words, this is just the beginning in a long downward slide in relation to all the things that we consider to be abhorrent.
He starts off with what is actually a very good point. If polygamy was made illegal for religious reasons, then it most certainly should not be illegal. Of course my position is the reverse of his, so I see it as “so why is polygamy still illegal?” He then steps off the logic bus and boards the crazy train by claiming the next steps would then be bestiality and pedophilia. There’s this little detail he’s ignoring of course, and that is informed adult consent. Homosexual marriages are between two consenting adults. Polygamy would also be a number of marriages between consenting adults. Bestiality, pedophilia, and all the other things the Christian crazies claim necessarily follow gay marriage clearly don’t.
Can someone please tell me why people keep listening to this ignorant idiot?
Video courtesy Media Matters.
Transcript and inspiration to write courtesy Think Progress.
VMware ESXi 3.5u4, Intel SATA, and local datastores
This morning I rebooted my test box running VMware ESXi 3.5 to complete the upgrade from Update 3 to Update 4. The hypervisor came back up, but no guests were running and when I popped open the VI Client it indicated that there were no datastores configured and it could not find any of the virtual machines I had in inventory. It saw the internal disks and that they were formatted VMFS, but would not allow me to do anything other than format them over again.
Normally this would have simply annoyed me since I would have lost my test VMs, but they don’t take long to build so I’d have just formatted them and gone on with my day. Unfortunately within the last week we had temporarily moved a critical application’s VM to this box and we had not properly reconfigured backup. I could restore from the week old backup, but there would be hell to pay.
Since the VMFS partitions were clearly visible I felt I had a chance, but I’m still new to ESX/ESXi so my first step was to flip over to my always running irssi session (if you use IRC and do not use screened irssi, go Google it now and enjoy) and ask for help in #shsc and #vmware. #shsc always has a few guys who work on large VMware installs idling, and of course #vmware is obvious. While waiting for any input from IRC, I went to Google for my next step. I knew ESXi has the capability to be accessed via SSH, but it’s disabled by default, so I looked up how to turn it on. A few minutes later after bringing a monitor over to the machine and rebooting it I had SSH access and could go through system logs from the comfort of my laptop.
In /var/log/messages I found two entries referencing my SATA controller which looked interesting:
May 5 14:34:35 vmkernel: 0:00:06:39.406 cpu0:3616)ALERT: LVM: 4482: vmhba000:0:0:3 may be snapshot: disabling access. See resignaturing section in SAN config guide.
May 5 14:34:35 vmkernel: 0:00:06:39.408 cpu0:3616)ALERT: LVM: 4482: vmhba0:0:0:1 may be snapshot: disabling access. See resignaturing section in SAN config guide.
This information, after a quick trip to Google, led to VMware’s SAN configuration guide which references similar issues occurring on SANs, so I tried enabling the resignaturing option and magically my datastores reappeared. After renaming them back to their original names and turning the resignaturing option back off I had all my data and was able to download the disk images and VMX files so I was safe in the event of a major problem.
At this point, I could see my VMs but the VI inventory was still convinced that they were on the “old drives”, so after a bit more time on Google I discovered the Import feature within the datastore browser and I was able to bring the VMs back in and get them booting up.
Screenshot showing my datastores and two VMs running
After confirming that the VMs I really needed were booting and operational, I shut everything down to move the server back to its spot in my rack. Fortunately everything came right back up so the pressure was now off.
Now my concerns shifted. If this happened once, what’s to stop it from happening again? I needed to figure out why it happened. Fortunately at nearly the exact moment I started thinking about this IRC came through for me. “jidar” in #shsc linked to this thread on VMware’s forum with literally the exact same symptoms. A few posts down was a link to this page which again matched my experience exactly and says that U4 updated a number of SATA drivers including the one for the ICH9 controller in my PowerEdge and changed the way they appear to the hypervisor, which led to it not recognizing the drives for what they are.
Right now I’m moderately annoyed at an update that’s not even enough to earn it a minor version number bump on a piece of software intended for enterprise use having a change with the potential to cause this, but on the other hand I don’t expect anyone who really cares about reliability to be using SATA local storage. Ah well, I learned a bit about navigating around ESXi’s internals.
Coming Soon: Comparison of PC-based router/firewall platforms
Over the coming weeks I will be spending one week each with a number of PC-based router/firewall products installed as the primary NAT gateway at my apartment. I will be reviewing them based on overall performance, interoperability with my SIP-based VoIP service, QoS capabilities, VPN capabilities, and any extra features that make them stand out from the crowd.
The test platform will be a Dell PowerEdge SC430 with a 1.6 GHz Intel Xeon dual core processor and 4GB of RAM. The current list of software to test is as follows:
I will also be testing “appliance” type routers based on what is available to me, which currently is as follows:
- Linksys WRT54GL (Linksys firmware 4.30.12)
- Linksys WRT54GL (Tomato 1.23)
- Linksys WRT54GL (DD-WRT v24 SP1 Mega)
- Linksys WRT54GL (OpenWRT Kamikaze 8.09)
- Cisco 1841 (IOS 12.4(23))
- Watchguard Firebox X Edge
- Edgewater Edgemarc 4500 (VOS 9.1.2)
The Watchguard is currently unknown due to not having the password for it and I may cut down the list of Linksys firmwares, but all of the rest will be tested.
Hardware or software suggestions for further testing are appreciated.
On “religious freedom” in the workplace…
With the Obama administration looking like they will be rolling back Bush era policies allowing doctors to refuse to perform certain procedures and/or refuse to prescribe or sell certain medications (let’s say RU-486 for example) the Internet’s political debate hotspots have erupted as expected. Over at the Something Awful forums I saw a great post that completely explains my position on this issue:
It’s a sad reflection on the influence of the religious right that this is even a noteworthy issue. If you work at Burger King, and one day you decide that you don’t like the Double Whopper and won’t serve it to people anymore (say, for reasons of their health), you get fired. If you’re an network administrator and one day decide that TCP/IP is the devil’s protocol and you won’t use it, you get fired. The list goes on. Giving people the legal medication they need is the job of the pharmacist and doctor. Their job is not “Make value judgments about my patients and then prescribe what medications I personally believe are good”. We have a central regulatory body that determines what medicines and procedures are legal to give out and perform. Doctors and pharmacists are expected to adhere to these. A pharmacist who decided that he would no longer give cancer patients their drugs or a doctor who decided he will substitute phrenology for a general exam would find themselves out of jobs in short order. The only reason this is an issue is because for some reason “It’s my religion!” is taken as a valid excuse for not doing your job.
If you are a pharmacist, it is your job to dispense medications as prescribed. Your personal morals have absolutely no legitimate influence on this. If you do not like this fact, find another job. What the right wing wants here would be equivalent to a pacifist joining the Marines and then complaining that they were being sent to war.
If you’re still convinced that this “religious freedom” is the right option, pretend you live in a small town with one local doctor. Now pretend that doctor is a Jehova’s Witness. Now think about what happens if you or a loved one needs a transfusion. Your local doctor would then be fully able to refuse to give you/your loved one a transfusion because it goes against their religion.
If you don’t like the job requirements, find another job. Don’t whine that you chose a job that conflicts with your beliefs. Put up or shut up, either way your morals don’t have any effect on me.
Potentially serious vulnerability in a number of SIP endpoints
Sjur Usken and Sandro Gauci have discovered a major flaw in the SIP implementations on a wide range of IP phones. The short explanation is that the phones do not verify where a proxy authentication request is coming from and happily return the SIP authentication information. It is hashed and salted, but the salt is chosen by the attacker, so a set of rainbow tables would make cracking it trivial. For full details, check out Sjur’s blog post (which spread fairly rapidly around the VoIP world) and his latest post showing the trace as he attacked a Cisco 7940 I set up for this purpose.
Until the phone vendors release fixed firmware (if they do) the only way to defend yourself from this is to not have phones exposed on public IP addresses. If they have to be for some reason (we all know SIP and NAT really don’t get along, and proper SIP aware NAT devices cost a fair bit) set firewall rules that prevent the phones from speaking SIP to any IPs that aren’t part of your VoIP system. Alternatively, in the event that every single phone on your system is statically addressed, the reverse could be done at the registrar side. It wouldn’t stop the attackers from finding the password, but it would prevent them from using it in any way.
The implications of an attacker gaining the SIP authentication information are of course severe, once they have that they can imitate the attacked phone and make calls to any number of regions potentially costing thousands of dollars in the course of a single night.